Method for realizing convergent WAPI network architecture with split MAC mode

ABSTRACT

A method for realizing a convergent Wireless Local Area Networks (WLAN) Authentication and Privacy Infrastructure (WAPI) network architecture with a split Medium Access Control (MAC) mode involves the steps: a split MAC mode for realizing WLAN Privacy Infrastructure (WPI) by a wireless terminal point is constructed through separating the MAC function and the WAPI function of the wireless access point apart to the wireless terminal point and an access controller; integration of a WAPI and a convergent WLAN network system architecture is realized under the split MAC mode that the wireless terminal point realizes WPI; the association connection process is performed among a station point, a wireless terminal point and an access controller; the process for announcing the start of performing the WLAN Authentication Infrastructure (WAI) protocol between the access controller and the wireless terminal point is performed; the process for performing the WAI protocol between the station point and the access controller is performed; the process for announcing the end of performing the WAI protocol between the access controller and the wireless terminal point is performed; the secret communication process is performed between the wireless terminal point and the station by using WPI.

This application claims priority to Chinese Patent Application No. 200910021422.6, filed with the Chinese Patent Office on Feb. 27, 2009 and entitled “Method for implementing convergent WAPI network architecture in separated MAC mode”, which is hereby incorporated by reference in its entirety.

FIELD

The present invention relates to a method for implementing a convergent WAPI network architecture in a separated MAC mode.

BACKGROUND

A wireless Access Point (AP) in a Wireless Local Area Network (WLAN) of an autonomous architecture is fully deployed and terminated with the GB 15629.11 function and managed separately as a separate entity over the network. The autonomous architecture is commonly adopted for a WLAN currently designed in the Wireless Local Area Network (WLAN) Authentication and Privacy Infrastructure (WAPI), but a network operation mode of this autonomous architecture has gradually become an obstacle restricting the development of wireless technologies due to its inherent drawbacks along with an increasing scale at which the WLAN is deployed.

Firstly the AP, which is an Internet Protocol (IP) addressable device, has to be separately managed (including monitored, configured, controlled, etc.) in the WLAN of the autonomous architecture. When the network is deployed at a large scale, a large number of APs may give rise to a tremendous management overhead resulting in a heavy burden upon the network. This phenomenon may be more pronounced especially if configurations of the APs over the network are managed differently from each other, which may discourage the development of wireless technologies.

Secondly it is somewhat difficult to ensure consistent configuration parameters of all the APs in the WLAN of the autonomous architecture because the majority of the configuration parameters for the APs may be parameters to be configured dynamically in addition to static parameters. It may be burdensome and even impossible to make an effort for timely updating of dynamic configurations of the APs throughout the large-scale WLAN.

Thirdly a wireless transmission medium is a shared resource in the WLAN, and in order to improve the performance of the network, the respective APs shall be monitored in real time and the configurations of these APs shall be updated dynamically according to the current usage of the shared medium, but manual configuring of the AP parameters related to the wireless transmission medium may consume a lot of human and material resources.

Fourthly it is also difficult to secure an access to the network and prevent an access of an illegal AP in the WLAN of the autonomous architecture. An AP is typically deployed in such a position that makes it difficult to protect the AP, and once the AP is stolen, security information loaded thereon may be leaked, and the security of the network may be endangered.

In summary, a heavy management burden upon the network may result from monitoring, configuring and controlling of the APs in the WLAN of the autonomous architecture, especially when the WLAN is deployed at a large scale. Furthermore it is also rather difficult to maintain consistent configurations of the APs. Furthermore the shared and dynamic wireless transmission medium requires consistent cooperation of the APs over the network to strive for the maximum network performance and the minimum wireless interference, and this will be more demanding for configuration management of the APs. Security is one of the important factors to be considered when the wireless network is designed, and large-scale deployment may also pose a great challenge to the security of the WLAN. As can be apparent, the operation mode over the WLAN of the autonomous architecture has been incapable of accommodating a demand for deploying a large-scale network, and it is highly desired to design a WAPI-based convergent WLAN network architecture, i.e., a WAPI thin AP architecture.

SUMMARY

An object of the invention is to obviate the drawbacks of the foregoing autonomous WLAN network architecture by providing a method for implementing a convergent WAPI network architecture in a separated MAC mode in which a Wireless Local Area Network (WLAN) Privacy Infrastructure (WPI) is implemented by a Wireless Terminal Point (WTP), where a Medium Access Control (MAC) function and a WAPI function of APs are divided for centralized control and management of the APs throughout the network to accommodate a demand for deploying a large-scale WLAN.

In a technical solution of the invention, a method for implementing a convergent WAPI network architecture in a separated MAC mode is provided, wherein the method includes the following operations:

1) constructing a separated MAC mode in which a WPI is implemented by a wireless terminal point: separating an MAC function and a WAPI function of a wireless access point onto the wireless terminal point and an access controller; and

2) integrating the WAPI and a convergent WLAN network architecture in the separated MAC mode in which the WPI is implemented by the wireless terminal point by:

2.1) performing an association connection process between a station and both the wireless terminal point and the access controller;

2.2) performing a Wireless Local Area Network (WLAN) Authentication Infrastructure (WAI) protocol execution commencement announcement process between the access controller and the wireless terminal point;

2.3) performing a WAI protocol execution process between the station and the access controller;

2.4) performing a WAI protocol execution termination announcement process between the access controller and the wireless terminal point; and

2.5) performing an encrypted communication process between the wireless terminal point and the station through the WPI.

The operation 2.1) includes:

2.1.1) the station listens passively to a beacon frame of the wireless terminal point and acquires parameters of the wireless terminal point including WAPI information elements; or the station transmits on its own initiative a probe request frame to the wireless terminal point, the wireless terminal point transmits a probe response frame to the station upon reception of the probe request frame of the station, and the station acquires the parameters of the wireless terminal point including the WAPI information elements upon reception of the probe response frame; wherein the WAPI information elements include suites of authentication and key management and suites of ciphers supported by the wireless terminal point;

2.1.2) the station transmits a link authentication request frame to the access controller for authenticating a link to the access controller;

2.1.3) the access controller transmits a link authentication response frame to the station in response to the link authentication request frame of the station;

2.1.4) the station transmits an association request frame to the access controller for association with the access controller upon successful link authentication by including in the association request a WAPI information element determining a suite of authentication and key management and a suite of ciphers selected by the station; and

2.1.5) the access controller parses the association request frame of the station and transmits an association response frame to the station.

The operation 2.2) includes:

2.2.1) the access controller transmits a WAI execution commencement announcement to the wireless terminal point to notify the wireless terminal point about information on the MAC address of the station, a WLAN ID number, an authentication commencement indicator, etc., wherein the authentication commencement indicator instructs the wireless terminal point to disable a controlled port and to forward only WAI protocol data originating from the corresponding station; and

2.2.2) the wireless terminal point transmits a WAI execution commencement announcement response message to the access controller.

The operation 2.3) includes:

2.3.1) performing a WAI authentication process between the access controller and the station;

2.3.2) performing a WAI uni-cast key negotiation process between the access controller and the station; and

2.3.3) performing a WAI multi-cast key announcement process between the access controller and the station.

The operation 2.4) includes:

2.4.1) the access controller transmits a WAI execution termination announcement to the wireless terminal point to notify the wireless terminal point about information on the MAC address of the station, a WLAN ID number, key data, a suite of ciphers and an authentication termination indicator, wherein the authentication termination indicator instructs the wireless terminal point to enable a controlled port and to forward all the data, including WAI protocol data and other data than the WAI protocol data, originating from the corresponding station; and

2.4.2) the wireless terminal point transmits a WAI execution termination announcement response message to the access controller.

The operation 2.5) includes:

2.5.1) the wireless terminal point encrypts and transmits data intended for the station; and

2.5.2) the wireless terminal point decrypts and forwards data originating from the station.

The method further includes an operation 2.6) of performing a uni-cast key update process between the access controller and the station after the operation 2.5).

The operation 2.6) includes:

2.6.1) performing a WAI uni-cast key negotiation process between the access controller and the station when the uni-cast key needs to be updated;

2.6.2) the access controller transmits a uni-cast key update announcement to the wireless terminal point to announce information on the MAC address of the station, a WLAN ID, updated uni-cast key data, an updated suite of ciphers, etc. after the WAI uni-cast key negotiation process is performed; and

2.6.3) the wireless terminal point transmits a uni-cast key update announcement response to the access controller.

The method further includes an operation 2.7) of performing a multi-cast key update process between the access controller and the station after the operation 2.5) or 2.6).

The operation 2.7) includes:

2.7.1) the access controller firstly transmits to the wireless terminal point a multi-cast key update commencement announcement including information on a WLAN ID, multi-cast key data, a data Packet Number, etc. when a multi-cast key needs to be updated;

2.7.2) the wireless terminal point transmits a multi-cast key update commencement announcement response to the access controller upon reception of the multi-cast key update commencement announcement;

2.7.3) performing a WAI multi-cast key announcement process between the access controller and the station;

2.7.4) the access controller transmits to the wireless terminal point a multi-cast key update termination announcement including information on a multi-cast key index, a multi-cast key update termination indicator, etc. after the WAI multi-cast key announcement process is performed; and

2.7.5) the wireless terminal point responds to the multi-cast key update termination announcement of the access controller by transmitting a multi-cast key update termination announcement response to the access controller.

The invention provides a communication interaction flow between entities in the convergent WLAN network architecture of the separated MAC mode. The MAC function and the WAPI function of the AP are separated onto the WTP and the Access Controller (AC) so that the WTP performs interaction of real-time information (including a beacon frame, a response to a probe request frame, etc.) with the station (STA) as required in the standard GB 15629.11 and executes the WPI protocol, and the AC performs non-real-time interaction (including association, the WAI protocol, etc.) with the STA. This mode with division of the AP functions is referred to as the separated MAC mode with the WPI being implemented by the WTP.

The invention has the following advantages over the prior art: the invention proposes a method for implementing a convergent WAPI network architecture in a separated MAC mode, which obviates the limitation of the existing autonomous network architecture based upon the WAPI protocol in which a demand for deploying a large-scale WLAN cannot be accommodated. With the separated MAC mode, the AC performs uniform monitoring, configuring and control of WTPs for the purpose of centralized management on WTPs over the WLAN; and the AC executes the WAI protocol and the WTP executes the WPI protocol so that the WAPI protocol and the convergent WLAN architecture are integrated seamlessly to secure the WLAN. In summary, the invention can both accommodate a demand for deploying a large-scale WLAN and secure the WLAN in the convergent architecture.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of messages in a convergent WAPI network architecture of a separated MAC mode in which a WPI is implemented by a WTP;

FIG. 2 is a flow chart of updating a uni-cast key between an AC and an STA; and

FIG. 3 is a flow chart of updating a multi-cast key between an AC and an STA.

DETAILED DESCRIPTION

Referring to FIG. 1, a specific method according to a preferred embodiment of the invention is as follows.

1) A separated MAC mode with a WPI implemented by a wireless terminal point is constructed: an MAC function and a WAPI function of an AP are separated onto the Wireless Terminal Point (WTP) and an Access Controller (AC);

2) A WAPI and a convergent WLAN network architecture are integrated in the separated MAC mode with the WPI implemented by the wireless terminal point;

2.1) An association connection process between an STA and both the WTP and the AC:

2.1.1) the STA listens passively to a beacon frame of the WTP and acquires WTP related parameters including WAPI information elements, e.g., suites of authentication and key management and suites of ciphers supported by the WTP, etc.; or the STA transmits on its own initiative a probe request frame to the WTP, the WTP transmits a probe response frame to the STA upon reception of the probe request frame of the STA, and the STA acquires the WTP related parameters including the WAPI information elements, e.g., the suites of authentication and key management and the suites of ciphers supported by the WTP, etc., upon reception of the probe response frame of the WTP;

2.1.2) the STA transmits a link authentication request frame to the AC for authenticating a link to the AC upon reception of the probe response of the WTP;

2.1.3) the AC transmits a link authentication response frame to the STA in response to the link authentication request frame of the STA;

2.1.4) the STA transmits an association request frame to the AC for association with the AC upon successful link authentication by including in the association request a WAPI information element determining a suite of authentication and key management and a suite of ciphers selected by the STA; and

2.1.5) the AC parses the association request frame of the STA and transmits an association response frame to the STA.

2.2) A WAI protocol execution commencement announcement process between the AC and the WTP:

2.2.1) the AC transmits a WAI execution commencement announcement to the WTP to notify the WTP about information on the MAC address of the STA, a WLAN ID number, an authentication commencement indicator, etc., where the authentication commencement indicator instructs the WTP to disable a controlled port and to forward only WAI protocol data originating from the corresponding STA; and

2.2.2) the WTP transmits a WAI execution commencement announcement response message to the AC.

2.3) A WAI protocol execution process between the STA and the AC:

2.3.1) a WAI authentication process between the AC and the STA;

2.3.2) a WAI uni-cast key negotiation process between the AC and the STA; and

2.3.3) a WAI multi-cast key announcement process between the AC and the STA.

2.4) A WAI protocol execution termination announcement process between the AC and the WTP:

2.4.1) the AC transmits a WAI execution termination announcement to the WTP to notify the WTP about information on the MAC address of the STA, a WLAN ID, key data, a suite of ciphers, an authentication termination indicator, etc., where the authentication termination indicator instructs the WTP to enable the controlled port and to forward all the data, including WAI protocol data and other data than the WAI protocol data, originating from the corresponding STA; and

2.4.2) the WTP transmits a WAI execution termination announcement response message to the AC.

2.5) An encrypted communication process performed between the WTP and the STA through the WPI:

2.5.1) the WTP encrypts and transmits data intended for the STA; and

2.5.2) the WTP decrypts and forwards data originating from the STA.

Referring to FIG. 2, the flow of the invention further includes an operation 2.6) of a uni-cast key update process between the AC and the STA:

2.6.1) a WAI uni-cast key negotiation process is performed between the AC and the STA when a uni-cast key needs to be updated;

2.6.2) the AC transmits a uni-cast key update announcement to the WTP to announce information on the MAC address of the STA, a WLAN ID, updated uni-cast key data, an updated suite of ciphers, etc., after the WAI uni-cast key negotiation process is performed; and

2.6.3) the WTP transmits a uni-cast key update announcement response to the AC.

Referring to FIG. 3, the flow of the invention further includes an operation 2.7) of a multi-cast key update process between the AC and the STA:

2.7.1) the AC firstly transmits to the WTP a multi-cast key update commencement announcement including information on a WLAN ID, multi-cast key data, a data Packet Number (PN), etc., when a multi-cast key needs to be updated;

2.7.2) the WTP transmits a multi-cast key update commencement announcement response to the AC upon reception of the multi-cast key update commencement announcement;

2.7.3) a WAI multi-cast key announcement process is performed between the AC and the STA;

2.7.4) the AC transmits to the WTP a multi-cast key update termination announcement including information on a multi-cast key index, a multi-cast key update termination indicator, etc., after the WAI multi-cast key announcement process is performed; and

2.7.5) the WTP responds to the multi-cast key update termination announcement of the AC by transmitting a multi-cast key update termination announcement response to the AC.

In the foregoing embodiments, a secure channel between the AC and the WTP may be preset in order to secure the key data in the operations 2.2), 2.4), 2.6) and 2.7). The secure channel may be established through arranging a private network between the AC and the WTP or utilizing a security protocol (e.g., the Datagram Transport Layer Security (DTLS) protocol).
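As an added illustration (not code from the patent), the following Python model shows the WTP side of operations 2.2), 2.4), 2.6) and 2.7): the AC's announcements drive a per-STA controlled-port state that decides which frames the WTP forwards and when key material is installed, and an announcement arriving out of the FIG. 1 order is refused. The message field names, the "kind" tags and the sample MAC address, WLAN ID and key values are assumptions; the patent specifies no wire format.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Port(Enum):
    """Per-STA controlled-port state on the WTP."""
    CLOSED = "closed"      # no announcement from the AC yet: forward nothing
    WAI_ONLY = "wai_only"  # after 2.2.1): port disabled, only WAI protocol data passes
    OPEN = "open"          # after 2.4.1): port enabled, all data passes


@dataclass
class StaState:
    wlan_id: int
    port: Port = Port.CLOSED
    ucast_key: Optional[bytes] = None     # installed by 2.4.1), replaced by 2.6.2)
    cipher_suite: Optional[str] = None


@dataclass
class Wtp:
    stas: Dict[str, StaState] = field(default_factory=dict)
    # active multicast key per WLAN ID: (key index, key data, packet number)
    mcast_keys: Dict[int, Tuple[int, bytes, int]] = field(default_factory=dict)
    # key announced by 2.7.1) but not yet activated by 2.7.4)
    pending_mcast: Dict[int, Tuple[bytes, int]] = field(default_factory=dict)

    def handle_announcement(self, msg: dict) -> dict:
        """Apply one AC->WTP announcement and return the WTP's response message.

        The "kind" tags and dict keys are assumptions of this model; the patent
        lists only the information each announcement carries.
        """
        kind = msg["kind"]
        if kind == "wai_commencement":                         # 2.2.1)
            self.stas[msg["sta_mac"]] = StaState(msg["wlan_id"], Port.WAI_ONLY)
        elif kind == "wai_termination":                        # 2.4.1)
            sta = self._sta_in_state(msg["sta_mac"], Port.WAI_ONLY)
            sta.ucast_key, sta.cipher_suite = msg["key_data"], msg["cipher_suite"]
            sta.port = Port.OPEN
        elif kind == "ucast_key_update":                       # 2.6.2)
            sta = self._sta_in_state(msg["sta_mac"], Port.OPEN)
            sta.ucast_key, sta.cipher_suite = msg["key_data"], msg["cipher_suite"]
        elif kind == "mcast_update_commencement":              # 2.7.1)
            self.pending_mcast[msg["wlan_id"]] = (msg["key_data"], msg["pn"])
        elif kind == "mcast_update_termination":               # 2.7.4)
            # carrying wlan_id here is an assumption (the patent says "etc.")
            key_data, pn = self.pending_mcast.pop(msg["wlan_id"])
            self.mcast_keys[msg["wlan_id"]] = (msg["key_index"], key_data, pn)
        else:
            raise ValueError(f"unknown announcement kind {kind!r}")
        return {"kind": kind + "_response", "sta_mac": msg.get("sta_mac"),
                "wlan_id": msg.get("wlan_id")}

    def _sta_in_state(self, sta_mac: str, expected: Port) -> StaState:
        """Refuse key material for a STA whose port is not in the expected state."""
        sta = self.stas.get(sta_mac)
        if sta is None or sta.port is not expected:
            raise ValueError(f"announcement out of order for {sta_mac}")
        return sta

    def forward_from_sta(self, sta_mac: str, is_wai: bool) -> bool:
        """Forwarding decision for a frame received over the air from a STA."""
        sta = self.stas.get(sta_mac)
        if sta is None or sta.port is Port.CLOSED:
            return False
        if sta.port is Port.WAI_ONLY:
            return is_wai                  # only WAI protocol data while 2.3) runs
        return True                        # 2.4.1) enabled the controlled port


def is_rejected(wtp: Wtp, msg: dict) -> bool:
    """True if the WTP refuses the announcement (shows the ordering check)."""
    try:
        wtp.handle_announcement(msg)
    except ValueError:
        return True
    return False
```

The unicast key for a STA is only ever written once the AC has signalled WAI completion for that STA, which mirrors the role of the termination indicator in 2.4.1).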

CLAIMS

1. A method for implementing a convergent Wireless Local Area Network, WLAN, Authentication and Privacy Infrastructure, WAPI, network architecture in a separated Medium Access Control, MAC, mode, comprising: 1) separating an MAC function and a WAPI function of a wireless access point onto a wireless terminal point and an access controller to construct a separated MAC mode with a Wireless Local Area Network, WLAN, Privacy Infrastructure, WPI, implemented by the wireless terminal point; and 2) integrating the WAPI and a convergent Wireless Local Area Network, WLAN, network architecture in the separated MAC mode with the WPI implemented by the wireless terminal point; and wherein the operation 2) comprises: 2.1) performing an association connection process between a station and both the wireless terminal point and the access controller; 2.2) performing a Wireless Local Area Network, WLAN, Authentication Infrastructure, WAI, protocol execution commencement announcement process between the access controller and the wireless terminal point; 2.3) performing a WAI protocol execution process between the station and the access controller; 2.4) performing a WAI protocol execution termination announcement process between the access controller and the wireless terminal point; and 2.5) performing an encrypted communication process between the wireless terminal point and the station through the WPI.

2. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, wherein the operation 2.1) comprises: 2.1.1) the station listens passively to a beacon frame of the wireless terminal point and acquires parameters of the wireless terminal point comprising WAPI information elements; or the station transmits on its own initiative a probe request frame to the wireless terminal point, the wireless terminal point transmits a probe response frame to the station upon reception of the probe request frame of the station, and the station acquires the parameters of the wireless terminal point comprising the WAPI information elements upon reception of the probe response frame of the wireless terminal point; wherein the WAPI information elements comprise suites of authentication and key management and suites of ciphers supported by the wireless terminal point; 2.1.2) the station transmits a link authentication request frame to the access controller for authenticating a link to the access controller; 2.1.3) the access controller transmits a link authentication response frame to the station in response to the link authentication request frame of the station; 2.1.4) the station transmits an association request frame to the access controller for association with the access controller upon successful link authentication by comprising in the association request a WAPI information element determining a suite of authentication and key management and a suite of ciphers selected by the station; and 2.1.5) the access controller parses the association request frame of the station and transmits an association response frame to the station.

3. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, wherein the operation 2.2) comprises: 2.2.1) the access controller transmits a WAI execution commencement announcement to the wireless terminal point to notify the wireless terminal point about information on the MAC address of the station, a WLAN ID number and an authentication commencement indicator, wherein the authentication commencement indicator instructs the wireless terminal point to disable a controlled port and to forward only WAI protocol data originating from the corresponding station; and 2.2.2) the wireless terminal point transmits a WAI execution commencement announcement response message to the access controller.

4. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, wherein the operation 2.3) comprises: 2.3.1) performing a WAI authentication process between the access controller and the station; 2.3.2) performing a WAI uni-cast key negotiation process between the access controller and the station; and 2.3.3) performing a WAI multi-cast key announcement process between the access controller and the station.

5. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, wherein the operation 2.4) comprises: 2.4.1) the access controller transmits a WAI execution termination announcement to the wireless terminal point to notify the wireless terminal point about information on the MAC address of the station, a WLAN ID number, key data, a suite of ciphers and an authentication termination indicator, wherein the authentication termination indicator instructs the wireless terminal point to enable a controlled port and to forward all the data originating from the corresponding station; and 2.4.2) the wireless terminal point transmits a WAI execution termination announcement response message to the access controller.

6. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, wherein the operation 2.5) comprises: 2.5.1) the wireless terminal point encrypts and transmits data intended for the station; and 2.5.2) the wireless terminal point decrypts and forwards data originating from the station.

7. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, further comprising an operation 2.6) of performing a uni-cast key update process between the access controller and the station after the operation 2.5).

8. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 7, wherein the operation 2.6) comprises: 2.6.1) performing a WAI uni-cast key negotiation process between the access controller and the station when a uni-cast key needs to be updated; 2.6.2) the access controller transmits a uni-cast key update announcement to the wireless terminal point to announce information on the MAC address of the station, a WLAN ID, updated uni-cast key data and an updated suite of ciphers after the WAI uni-cast key negotiation process is performed; and 2.6.3) the wireless terminal point transmits a uni-cast key update announcement response to the access controller.

9. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 1, further comprising an operation 2.7) of performing a multi-cast key update process between the access controller and the station after the operation 2.5).

10. The method for implementing a convergent WAPI network architecture in a separated MAC mode according to claim 9, wherein the operation 2.7) comprises: 2.7.1) the access controller firstly transmits to the wireless terminal point a multi-cast key update commencement announcement comprising information on a WLAN ID, multi-cast key data and a data Packet Number when a multi-cast key needs to be updated; 2.7.2) the wireless terminal point transmits a multi-cast key update commencement announcement response to the access controller upon reception of the multi-cast key update commencement announcement; 2.7.3) performing a WAI multi-cast key announcement process between the access controller and the station; 2.7.4) the access controller transmits to the wireless terminal point a multi-cast key update termination announcement comprising a multi-cast key index and a multi-cast key update termination indicator after the WAI multi-cast key announcement process is performed; and 2.7.5) the wireless terminal point responds to the multi-cast key update termination announcement of the access controller by transmitting a multi-cast key update termination announcement response to the access controller.